[cosmo-dev] Bug 11175: : in username causes chaos

Travis Vachon travis at osafoundation.org
Mon Nov 26 13:59:35 PST 2007


On Nov 26, 2007, at 1:39 PM, Brian Moseley wrote:

> On Nov 26, 2007 1:06 PM, Travis Vachon <travis at osafoundation.org> wrote:
>
>> The official BNF definition of the HTTP Basic Auth userid is:
>>
>>      userid      = *<TEXT excluding ":">
>>
>> where TEXT is defined in rfc2616 as follows:
>>
>>    The TEXT rule is only used for descriptive field contents and values
>>    that are not intended to be interpreted by the message parser. Words
>>    of *TEXT MAY contain characters from character sets other than ISO-
>>    8859-1 [22] only when encoded according to the rules of RFC 2047
>>    [14].
>>
>>        TEXT           = <any OCTET except CTLs,
>>                         but including LWS>
>
> this implies that colon is legal if it's encoded. have you looked at
> our supported browsers to see what they do when you present them with
> usernames including colon? do they use quoted-printable or base64 to
> encode it?

Pointing Firefox at a resource protected by Basic Auth and entering  
"travis:too" in the username field and "testing" in the password field  
causes it to send an Authorization header like:

Authorization: Basic dHJhdmlzOnR3bzp0ZXN0aW5n

Decoding that gives:

 >>> base64.b64decode("dHJhdmlzOnR3bzp0ZXN0aW5n")
'travis:two:testing'


So short answer (for Firefox) is no, no special encoding. FWIW, the  
encoding they mention from RFC 2047 looks like:

=?iso-8859-1?q?this=20is=20some=20text?=

and is really made for encoding non-ISO-8859-1 characters, which : is  
not. If you think it might be fruitful to dig into this further,  
however, I'd be happy to look into it.

>
>
>> Given this I'd like to propose that we officially disallow : in
>> Chandler Server usernames. Any thoughts?
>
> it would be extremely lame to have the acceptable syntax be "any utf-8
> character except colon". imo it should either be "any utf-8" character
> or something very restrictive and url-safe like [A-Za-z0-9\0_].

I agree it would be kind of ugly to say this, but given that we have  
some production accounts with unicode in the usernames we'd need to  
discuss a coherent policy for moving away from newly-unsupported  
characters. Given that we have a few other unicode-in-username bugs  
this might not actually affect too many users. Jared - any thoughts or  
insights on what kind of an end-user impact moving to only url-safe  
characters in usernames might have?

-Travis
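
Added example (not part of the original message, and not Chandler Server code): a server-side parse of the header shown above, splitting on the first colon as the quoted userid grammar implies, next to a signup-time username check. The function names are hypothetical, and the check is only one possible policy under discussion in this thread.

```python
import base64
import binascii


def parse_basic_auth(header_value):
    """Parse the value of an Authorization header into (userid, password).

    Splits on the FIRST colon, because userid = *<TEXT excluding ":">.
    Returns None when the value is not well-formed Basic credentials.
    """
    scheme, _, token = header_value.partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True)
    except (binascii.Error, ValueError):
        return None
    userid, sep, password = decoded.partition(b":")
    if not sep:
        return None
    return userid, password


def build_basic_auth(userid, password):
    """What a client sends when it applies no special encoding to ':'."""
    raw = userid.encode("utf-8") + b":" + password.encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def username_is_basic_auth_safe(username):
    """Hypothetical signup check: reject empty names, ':' and control chars."""
    if not username or ":" in username:
        return False
    return not any(ord(ch) < 32 or ord(ch) == 127 for ch in username)


if __name__ == "__main__":
    # Header value copied from the message above.
    print(parse_basic_auth("Basic dHJhdmlzOnR3bzp0ZXN0aW5n"))
    # Two different (userid, password) pairs are indistinguishable on the wire.
    print(build_basic_auth("travis:two", "testing")
          == build_basic_auth("travis", "two:testing"))
    for name in ("travis", "travis:two"):
        print(name, username_is_basic_auth_safe(name))
```

The server can only recover userid "travis" with password "two:testing" from that header, so an account whose username contains a colon cannot be distinguished from a different account with a longer password.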




